CN110300065B - Application flow identification method and system based on software defined network - Google Patents


Info

Publication number: CN110300065B
Authority: CN (China)
Prior art keywords: identification, application, application traffic, subfield, flow
Legal status: Active
Application number: CN201910631480.4A
Other languages: Chinese (zh)
Other versions: CN110300065A
Inventors: 夏俊, 钟赟, 汤嘉佳, 彭雨婷, 杨炳丰, 吴飞
Current assignee: China Telecom Group Trade Union Shanghai Committee
Original assignee: China Telecom Group Trade Union Shanghai Committee
Events: application filed by China Telecom Group Trade Union Shanghai Committee; priority to CN201910631480.4A; publication of CN110300065A; application granted; publication of CN110300065B; current legal status Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00: Traffic control in data switching networks
    • H04L47/10: Flow control; Congestion control
    • H04L47/24: Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2475: Traffic characterised by specific attributes, e.g. priority or QoS, for supporting traffic characterised by the type of applications
    • H04L47/2483: Traffic characterised by specific attributes, e.g. priority or QoS, involving identification of individual flows
    • H04L47/31: Flow control; Congestion control by tagging of packets, e.g. using discard eligibility [DE] bits

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a software defined network-based application traffic identification method and system, which relate to the technical field of network communication. A switch acquires the application traffic of a user terminal and copies it to an identification control module; the switch generates a connection tracking table for the application traffic, the table comprising a first subfield and a second subfield; the identification control module analyzes the first subfield and the second subfield according to a preset rule and, when the analysis result indicates that the application traffic should be identified, calls an identification engine to identify the traffic against a pre-generated identification feature matching library: if identification succeeds, the identification mark of the application traffic is recorded in the first subfield; if it fails, the identification count of the application traffic is incremented and the second subfield is updated. The invention identifies application traffic with a minimal amount of change, increases service flexibility, reduces system overhead and reduces the network pressure from the switch to the controller.

Description

Application flow identification method and system based on software defined network
Technical Field
The invention relates to the technical field of network communication, in particular to an application flow identification method and system based on a software defined network.
Background
With the rapid development of internet services and intensifying competition in bandwidth access, the difference in volume between operators keeps widening, the traditional pure-pipeline operating model faces more and more challenges, and the intelligent pipeline has become the direction in which operators explore their transformation. One prerequisite for an intelligent pipeline is the ability to identify the applications in the network. A software defined network separates the control plane and the data plane of network devices through OpenFlow, which allows flexible control of network flows, makes the network a more intelligent pipeline, and provides a good platform for innovation in the core network and in applications; since flexible control of network flows requires identifying the various application programs in the network, it is important to identify applications quickly and accurately.
In the prior art, application identification is generally achieved by techniques such as five-tuple identification and Deep Packet Inspection (DPI). Five-tuple identification analyzes the contents of an IP packet at Layer 4 and below, such as source address, destination address, source port, destination port and protocol type; it is efficient and suitable for implementation on devices with limited performance, but its accuracy is low. In particular, as the applications on the network keep diversifying and more of them are carried over open ports, random ports or even encrypted channels, the application type of a flow can no longer be judged reliably from IP addresses and port information alone. DPI adds application-layer analysis on top of the four-layer packet analysis and effectively improves identification accuracy. However, in a software defined network, OpenFlow cannot parse or identify the application layer of a packet, so its control capability at the application layer is limited.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides an application flow identification method based on a software defined network, wherein the software defined network comprises a controller and a switch connected with the controller;
setting an identification control module and an identification engine in the switch, wherein the identification control module and the identification engine are connected in parallel in the software defined network;
the software defined network further comprises a user terminal, and the user terminal is accessed to the software defined network through the switch;
the application flow identification method specifically comprises the following steps:
step S1, the switch acquires the application flow of the user terminal and copies the application flow to the identification control module according to a forwarding flow table generated and issued in advance by the controller;
step S2, the switch generates a corresponding connection tracking table according to the application traffic, wherein the connection tracking table comprises a first field aiming at the application traffic, and the first field comprises a first sub-field used for recording an identification mark and a second sub-field used for recording identification times;
step S3, the identification control module analyzes the first subfield and the second subfield respectively according to a preset rule and determines from the analysis result whether to identify the application traffic:
if yes, go to step S4;
if not, discard the application traffic and exit;
step S4, the identification control module calls the identification engine and identifies the application traffic according to an identification feature matching library generated and issued in advance by the controller, wherein the identification feature matching library comprises the feature values corresponding to the application traffic generated by each application program in the user terminal and the predefined identification marks corresponding to the application traffic generated by each application program:
if the identification is successful, record the identification mark corresponding to the application traffic in the first subfield corresponding to the application traffic, and then exit;
if the identification is not successful, increment the identification count corresponding to the application traffic to update the second subfield, and then exit.
Preferably, the step S3 specifically includes:
step S31, the identification control module acquires the connection tracking table corresponding to the application flow;
step S32, the identification control module analyzes the first sub-field of the connection tracking table:
if the analysis result shows that the identification mark exists in the first subfield, the application traffic is identified application traffic, and then quitting;
if the analysis result indicates that the identification mark does not exist in the first subfield, the application traffic is unidentified application traffic, and then the process goes to step S33;
step S33, the identification control module analyzes the second subfield of the connection tracking table to obtain the identification count of the application traffic, and compares the identification count with a preset identification threshold:
if the identification count is less than the identification threshold, go to step S4;
if the identification count is not less than the identification threshold, discard the application traffic, and then exit.
Preferably, the step S4 specifically includes:
step S41, the identification control module extracts the characteristic value of the application flow and the connection tracking table, wherein the characteristic value is a quintuple;
step S42, the identification control module calls the identification engine to retrieve in the preset identification feature matching library according to the feature value:
if the matched characteristic value is retrieved, the identification is successful, the identification identifier corresponding to the application traffic is recorded in the first sub-field of the connection tracking table corresponding to the application traffic, and then the exit is carried out;
and if the matched characteristic value is not retrieved, the identification is failed, and the identification times in the second sub-field in the connection tracking table corresponding to the application traffic are increased by one to update the second sub-field, and then the process is exited.
Preferably, the method further includes a process of updating the identification feature matching library, specifically including:
step A1, the controller detects the update information of each application program in the software defined network in real time and sends the detected update information to the identification control module;
and step A2, the identification control module updates the identification feature matching library according to the updating information.
Preferably, the identification feature matching library adopts a coarse matching mode.
Preferably, the recognition feature matching library adopts a high-precision matching mode.
An application traffic identification system based on a software defined network, which applies any one of the above application traffic identification methods based on the software defined network, specifically includes:
a switch, the switch comprising:
the data acquisition module is used for acquiring the application flow of the user terminal connected with the switch;
a data generating module, connected to the data acquiring module, configured to generate a corresponding connection tracking table according to the application traffic, where the connection tracking table includes a first field for the application traffic, and the first field includes a first subfield for recording an identification identifier and a second subfield for recording identification times;
the data copying module is connected with the data acquisition module and used for copying and outputting the application flow according to a forwarding flow table which is generated in advance and issued;
and an identification control module, connected to the data copying module and to the data generating module respectively, used for analyzing the first subfield and the second subfield according to a preset rule and, when its analysis result indicates that the application traffic is to be identified, calling the identification engine to identify the application traffic according to a pre-generated and issued identification feature matching library;
and a controller, connected to the switch, used for generating the forwarding flow table and the identification feature matching library and sending them to the switch.
Preferably, the system further comprises a data fine analysis system, which is respectively connected to the controller and the switch, and is used for performing fine analysis according to the recognition result of the recognition control module in the switch and sending the fine analysis result to the controller;
the fine analysis result comprises an application corresponding to the application traffic, and/or a use time period of the application traffic, and/or a terminal device carried by the application traffic;
and the controller generates a next forwarding path of the application flow according to the fine analysis result.
Preferably, the identification control module specifically includes:
the data acquisition unit is used for acquiring the connection tracking table corresponding to the application flow;
the first analysis unit is connected with the data acquisition unit and used for analyzing the first subfield of the connection tracking table and outputting a first analysis result;
a first judging unit, connected to the first analyzing unit, configured to judge whether an identifier exists in the first subfield according to the first analysis result:
if the identification mark exists in the first subfield, a first judgment result output by the first judgment unit indicates that the application traffic is identified application traffic;
if the identification mark does not exist in the first subfield, the second judgment result output by the first judgment unit represents that the application traffic is unidentified application traffic;
the second analysis unit is respectively connected with the data acquisition unit and the first judgment unit and is used for analyzing the second subfield of the connection tracking table according to the second judgment result and outputting a second analysis result;
the second analysis result is the identification count of the application traffic;
a second judging unit, connected to the second analyzing unit, used for comparing the second analysis result with a preset identification threshold:
if the identification count is less than the identification threshold, a third judgment result output by the second judging unit indicates that the application traffic needs to be identified;
if the identification count is not less than the identification threshold, a fourth judgment result output by the second judging unit indicates that the application traffic cannot be identified;
the first processing unit is connected with the second judging unit and used for calling the recognition engine to recognize the application flow according to the third judging result;
and the second processing unit is connected with the second judging unit and used for discarding the application flow according to the fourth judging result.
Preferably, the first processing unit specifically includes:
the data acquisition subunit is used for acquiring a characteristic value of the application flow and the connection tracking table, wherein the characteristic value is a quintuple;
an identification subunit, connected to the data acquisition subunit, and configured to perform retrieval in a preset identification feature matching library according to the feature value, where the identification feature matching library includes a feature value corresponding to the application traffic generated by each application program in the user terminal and an identification identifier corresponding to the application traffic generated by each predefined application program;
a judging subunit, connected to the identifying subunit, and configured to judge whether the matched feature value is retrieved:
if the matched characteristic value is retrieved, a fifth judgment result output by the judgment subunit indicates that the application traffic identification is successful;
if the matched characteristic value is not retrieved, a sixth judgment result output by the judgment subunit indicates that the application flow is not successfully identified;
the first processing subunit, connected to the judging subunit, is configured to record, according to the fifth judgment result, the identification identifier corresponding to the application traffic in the first subfield corresponding to the application traffic;
and the second processing subunit is connected with the judging subunit and is used for adding one to the identification times in the second subfield corresponding to the application traffic and updating the identification times into the second subfield.
The technical scheme has the following advantages or beneficial effects:
1) By performing application identification on the application traffic and marking identified application traffic with an identification mark, different processing can be applied to identified application traffic according to the identification result at the same time as the traffic is identified; this extends the control capability of OpenFlow to the application layer and effectively increases service flexibility;
2) The existing connection tracking table of the Linux system is extended: different application flows are distinguished by their five-tuple and an identification mark, no additional module is needed, and the amount of change is minimal;
3) The identification of application traffic is completed on the switch, so the application traffic does not need to be sent to the controller, and the network pressure from the switch to the controller is effectively reduced;
4) Through the control of the identification control module, application traffic whose identification count exceeds the identification threshold and which still cannot be identified is prevented from repeatedly entering the identification engine, which effectively reduces system overhead and system burden.
Drawings
FIG. 1 is a flow chart illustrating a method for identifying application traffic based on a SDN according to a preferred embodiment of the present invention;
FIG. 2 is a flow chart illustrating an analysis process of the recognition control module according to a preferred embodiment of the present invention;
FIG. 3 is a flow chart illustrating an identification process of the identification control module according to a preferred embodiment of the present invention;
FIG. 4 is a flow chart illustrating the update of the identification feature matching library according to a preferred embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an application traffic identification system based on a software defined network according to a preferred embodiment of the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments. The present invention is not limited to the embodiment, and other embodiments may be included in the scope of the present invention as long as the gist of the present invention is satisfied.
In a preferred embodiment of the present invention, based on the above problems in the prior art, there is provided an application traffic identification method based on a software-defined network, where the software-defined network includes a controller and a switch connected to the controller;
an identification control module and an identification engine are arranged in the switch, and the identification control module and the identification engine are connected in parallel in the software defined network;
the system also comprises a user terminal, wherein the user terminal is accessed to the software defined network through a switch;
as shown in fig. 1, the application traffic identification method specifically includes:
step S1, the switch acquires the application traffic of the user terminal and copies the application traffic to the identification control module according to a forwarding flow table generated and issued in advance by the controller;
step S2, the switch generates a corresponding connection tracking table according to the application traffic, wherein the connection tracking table comprises a first field for the application traffic, and the first field comprises a first subfield for recording the identification mark and a second subfield for recording the identification count;
step S3, the identification control module analyzes the first subfield and the second subfield respectively according to a preset rule and determines from the analysis result whether to identify the application traffic:
if yes, go to step S4;
if not, discard the application traffic and exit;
step S4, the identification control module calls the identification engine and identifies the application traffic according to an identification feature matching library generated and issued in advance by the controller, wherein the identification feature matching library comprises the feature values corresponding to the application traffic generated by each application program in the user terminal and the predefined identification marks corresponding to the application traffic generated by each application program:
if the identification is successful, record the identification mark corresponding to the application traffic in the first subfield corresponding to the application traffic, and then exit;
if the identification is not successful, increment the identification count corresponding to the application traffic to update the second subfield, and then exit.
Specifically, in this embodiment, the switch is an SDN switch. The identification control module and the DPI identification engine are placed in user mode on the SDN switch and sit in parallel with the data forwarding path of the software defined network; because the application traffic is copied and only the copy is deeply analyzed, analysis is separated from forwarding and the forwarding stability of the application traffic is not affected. In this embodiment, the SDN switch first copies the application traffic passing through it according to a forwarding flow table preset and issued by the controller and forwards the copy to the DPI identification control module, which then filters the received application traffic instead of identifying every copied packet directly; this effectively prevents unidentifiable application traffic from repeatedly entering the identification process and adding unnecessary system overhead and system burden.
Furthermore, the first field, namely the ct_mark field, of the existing connection tracking table of the Linux system on the SDN switch is extended: the high 26 bits of the ct_mark field are set as the first subfield, namely the APP_ID field, which records the identification mark resulting from application traffic identification, and the low 6 bits of the ct_mark field are set as the second subfield, namely the Count field, which records the identification count of unidentified application traffic. Application traffic is distinguished by its five-tuple, identified traffic is given an identification mark, and the identification count of unidentified traffic is accumulated, all without adding an additional module, that is, by directly using existing functions of the Linux system; identification of application traffic is thus realized with a minimal amount of modification. The five-tuple includes information such as source address, destination address, source port, destination port and protocol type.
In a preferred embodiment of the present invention, as shown in fig. 2, step S3 specifically includes:
step S31, the identification control module acquires a connection tracking table corresponding to the application flow;
step S32, the recognition control module analyzes the first sub-field of the connection tracking table:
if the analysis result shows that the identification mark exists in the first subfield, the application traffic is identified application traffic, and then quitting;
if the analysis result indicates that the first subfield does not have the identification mark, the application traffic is unidentified application traffic, and then the process goes to step S33;
step S33, the identification control module analyzes the second subfield of the connection tracking table to obtain the identification number of the application traffic, and compares the identification number with a preset identification threshold:
if the identification times are less than the identification threshold, turning to step S4;
and if the identification times are not less than the identification threshold, discarding the application flow, and then quitting.
Specifically, in this embodiment, when application traffic enters the identification control module for the first time, the first subfield, that is, the APP_ID field, of the connection tracking table corresponding to the application traffic is empty, meaning that the traffic has not yet been identified, and the identification count in the second subfield, that is, the Count field, is zero, meaning that no identification has been attempted yet; at this point the identification control module does not enable its protection mechanism and identifies the application traffic directly.
More specifically, if the application traffic is not entering the identification control module for the first time, the identification control module first checks the first subfield, i.e. the APP_ID field, of the connection tracking table corresponding to the application traffic. If the APP_ID field holds an identification mark, the application traffic has been identified and does not need to be identified again. If the APP_ID field is empty, the application traffic has not been identified, and the identification control module then checks the second subfield, i.e. the Count field, of the corresponding connection tracking table: if the identification count in the Count field has reached the identification threshold, the identification control module has failed to identify the application traffic after multiple attempts and does not need to try again; if the identification count in the Count field has not reached the identification threshold, the identification control module has not yet identified the application traffic after several attempts but can keep trying until the identification count reaches the identification threshold.
In a preferred embodiment of the present invention, as shown in fig. 3, step S4 specifically includes:
step S41, the identification control module extracts the feature value of the application traffic and the connection tracking table, wherein the feature value is a five-tuple;
step S42, the identification control module calls an identification engine to retrieve in a preset identification feature matching library according to the feature value:
if the matched characteristic value is retrieved, the identification is successful, the identification identifier corresponding to the application flow is recorded in a first sub-field in a connection tracking table corresponding to the application flow, and then the process is exited;
and if the matched characteristic value is not retrieved, the identification is failed, and the identification times in the second sub-field in the connection tracking table corresponding to the application traffic are increased by one to update the second sub-field, and then the process is exited.
Specifically, in this embodiment, after receiving the application traffic to be identified, the identification control module identifies the application traffic according to its feature value, that is, its five-tuple. An identification feature matching library issued by the controller is pre-stored in the identification control module; it comprises the feature values corresponding to the application traffic generated by the various application programs in the user terminal and the identification marks predefined for the application traffic generated by each application program, so that when the feature value corresponding to the application traffic is recognized, the traffic is marked with the corresponding identification mark. When the feature value corresponding to the application traffic is not recognized, the identification count of the application traffic is accumulated and updated.
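As an added example (not code from the patent or its assignee), the following Python model shows the ct_mark layout described in the embodiment above (high 26 bits APP_ID, low 6 bits Count) together with the decision sequence of steps S3 and S4 and their sub-steps S31 to S42, which the Disclosure of Invention also sets out. The five-tuples, the library contents, the threshold value and the convention that APP_ID 0 means "no mark yet" are assumptions of this example. The one point it adds beyond the text is the bound on the threshold: Count is a 6-bit field, so a threshold above 63 could never be reached and an increment past 63 would overwrite the lowest APP_ID bit.

```python
# Added example (not code from the patent): a Python model of the ct_mark layout
# and of the identification-control decision in steps S3 and S4. The flows,
# the library contents and the threshold are constructed for illustration;
# treating APP_ID == 0 as "no mark yet" is an assumption of this example.
from dataclasses import dataclass, field
from typing import Dict, Tuple

COUNT_BITS = 6                                          # low 6 bits of ct_mark: Count
COUNT_MASK = (1 << COUNT_BITS) - 1                      # 0x3f
APP_ID_BITS = 32 - COUNT_BITS                           # high 26 bits of ct_mark: APP_ID
APP_ID_MASK = ((1 << APP_ID_BITS) - 1) << COUNT_BITS    # 0xffffffc0
MAX_COUNT = COUNT_MASK                                  # 63 is the largest count the field holds

FiveTuple = Tuple[str, str, int, int, str]              # (src, dst, sport, dport, proto)


def pack_ct_mark(app_id: int, count: int) -> int:
    """Assemble a 32-bit ct_mark; reject values that would spill into the other subfield."""
    if not 0 <= app_id < (1 << APP_ID_BITS):
        raise ValueError("APP_ID must fit in 26 bits")
    if not 0 <= count <= MAX_COUNT:
        raise ValueError("Count must fit in 6 bits")
    return (app_id << COUNT_BITS) | count


def unpack_ct_mark(mark: int) -> Tuple[int, int]:
    """Split a ct_mark into (APP_ID, Count)."""
    return (mark & APP_ID_MASK) >> COUNT_BITS, mark & COUNT_MASK


@dataclass
class IdentificationControl:
    """Filters copied traffic before it reaches the engine, as in S3/S4 of the method."""
    library: Dict[FiveTuple, int]                 # feature value (five-tuple) -> APP_ID
    threshold: int                                # preset identification threshold
    conntrack: Dict[FiveTuple, int] = field(default_factory=dict)  # five-tuple -> ct_mark

    def __post_init__(self) -> None:
        # Count saturates at 63: a larger threshold could never be reached, and an
        # increment beyond 63 would overwrite APP_ID bits, so bound it here.
        if not 1 <= self.threshold <= MAX_COUNT:
            raise ValueError("threshold must be between 1 and %d" % MAX_COUNT)

    def handle(self, flow: FiveTuple) -> str:
        """Process one copied packet of `flow`; returns the branch that was taken."""
        mark = self.conntrack.setdefault(flow, 0)   # S2: fresh entry has APP_ID=0, Count=0
        app_id, count = unpack_ct_mark(mark)
        if app_id:                                   # S32: already marked, nothing to do
            return "identified"
        if count >= self.threshold:                  # S33: give up on this flow
            return "discarded"
        matched = self.library.get(flow)             # S41/S42: engine lookup by five-tuple
        if matched:
            self.conntrack[flow] = pack_ct_mark(matched, count)   # record mark in APP_ID
            return "matched"
        self.conntrack[flow] = pack_ct_mark(0, count + 1)         # bump Count, APP_ID stays empty
        return "unmatched"


# Constructed sample data (not from the patent).
KNOWN_FLOW: FiveTuple = ("10.0.0.5", "203.0.113.10", 51000, 443, "tcp")
UNKNOWN_FLOW: FiveTuple = ("10.0.0.5", "198.51.100.7", 51001, 8443, "tcp")
SAMPLE_LIBRARY: Dict[FiveTuple, int] = {KNOWN_FLOW: 0x101}   # 0x101 stands for "video app A"


def run_demo(threshold: int = 3) -> Dict[str, object]:
    """Replay a few packets of each flow and return the branch taken on each pass."""
    ctl = IdentificationControl(library=SAMPLE_LIBRARY, threshold=threshold)
    return {
        "known": [ctl.handle(KNOWN_FLOW) for _ in range(2)],
        "unknown": [ctl.handle(UNKNOWN_FLOW) for _ in range(threshold + 2)],
        "unknown_mark": unpack_ct_mark(ctl.conntrack[UNKNOWN_FLOW]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the file replays two packets of the known flow (first pass matches and writes APP_ID, second pass is short-circuited by S32) and five packets of the unknown flow (three identification attempts up to the threshold, then two discards by S33 with Count frozen at 3).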
In a preferred embodiment of the present invention, a process of updating the identification feature matching library is further included, as shown in fig. 4, which specifically includes:
step A1, the controller detects the update information of each application program in the software defined network in real time and sends the detected update information to the identification control module;
and step A2, the identification control module updates the identification feature matching library according to the update information.
Specifically, in this embodiment, the identification feature matching library is issued by the controller to the identification control module for identifying the application traffic, but after a period of time of use, each application program of the user terminal may perform corresponding update including the version, and at this time, the application traffic generated by the application program cannot be matched with the feature value in the original identification feature matching library, so that the controller is required to perform corresponding update on the identification feature matching library in time when detecting that the corresponding application program is updated, thereby effectively ensuring the identification accuracy.
In a preferred embodiment of the present invention, the identification feature matching library adopts a coarse matching mode.
In a preferred embodiment of the present invention, the identification feature matching library adopts a high-precision matching mode.
Specifically, in this embodiment, the identification feature matching library of the present invention may be dynamically loaded under the generation and management of the controller to meet different user requirements. In the default state, that is, when the user has not stated a requirement for precise identification, the identification feature matching library issued by the controller is a coarse feature matching library, and the identification feature matching library adopts a coarse matching mode: by matching the feature values in the coarse feature matching library, that is, the quintuple information, only the broad service class corresponding to the application traffic can be identified, while different application protocols within the same service class cannot be distinguished. For example, with the coarse feature matching library it can be identified that the application traffic is generated by a video-class application, but it cannot be determined which specific video application, such as iQIYI, Youku or Tencent Video, generated it. Adopting the coarse matching mode effectively reduces the device load while still meeting the basic requirements of users.
When the user states a requirement for precise identification, the identification feature matching library issued by the controller is a high-precision feature matching library, and the identification feature matching library adopts a high-precision matching mode: by matching the feature value in the high-precision feature matching library, that is, the quintuple information, not only the broad service class corresponding to the application traffic but also the different application protocols within the same service class can be identified. For example, through the high-precision feature matching library it can be identified that the application traffic is generated by a video-class application and, further, which specific video application, such as iQIYI, Youku or Tencent Video, generated it.
An application traffic identification system based on a software-defined network, which applies any one of the above application traffic identification methods based on the software-defined network, as shown in fig. 5, specifically includes:
a switch 1, where the switch 1 includes:
a data obtaining module 11, configured to obtain an application traffic of the user terminal 2 connected to the switch 1;
the data generating module 12 is connected to the data acquiring module 11, and is configured to generate a corresponding connection tracking table according to the application traffic, where the connection tracking table includes a first field for the application traffic, and the first field includes a first subfield for recording the identification identifier and a second subfield for recording the identification frequency;
the data copying module 13 is connected to the data obtaining module 11, and is configured to copy and output the application traffic according to a forwarding flow table generated and issued in advance;
and the identification control module 14 is respectively connected with the data copying module 13 and the data generating module 12, and is configured to analyze the first subfield and the second subfield according to a preset rule, and when an analysis result of the identification control module 14 indicates that the application traffic is identified, call the identification engine 15 to identify the application traffic according to a pre-generated and issued identification feature matching library.
and a controller 3, connected to the switch 1, configured to generate the forwarding flow table and the identification feature matching library and issue them to the switch 1.
In a preferred embodiment of the present invention, the system further comprises a data fine analysis system 4, which is respectively connected to the controller 3 and the switch 1, and is configured to perform fine analysis according to the identification result of the identification control module 14 in the switch 1 and send the fine analysis result to the controller 3;
the fine analysis result comprises an application program corresponding to the application flow, and/or the use time period of the application flow, and/or the terminal equipment carried by the application flow;
and the controller 3 generates a next forwarding path of the application traffic according to the fine analysis result.
Specifically, in this embodiment, the identification result of the identification control module 14 is fed back to the controller 3 through the data fine analysis system 4 at regular time, so that the controller 3 can generate a more accurate processing flow table according to the identification result of each application traffic, and the processing flow table includes an optimal forwarding path planned for each identified application traffic, so that the SDN switch can perform different processing on different applications corresponding to each application traffic according to the processing flow table, thereby increasing service flexibility.
In a preferred embodiment of the present invention, the recognition control module 14 specifically includes:
the data acquisition unit 141 is configured to acquire a connection tracking table corresponding to the application traffic;
the first analysis unit 142 is connected to the data acquisition unit 141, and is configured to analyze a first subfield of the connection tracking table and output a first analysis result;
the first determining unit 143, connected to the first analyzing unit 142, is configured to determine whether the identifier exists in the first subfield according to the first analysis result:
if the first subfield has the identification flag, the first determination result output by the first determination unit 143 indicates that the application traffic is identified application traffic;
if the first subfield does not have the identification flag, the second determination result output by the first determining unit 143 indicates that the application traffic is unidentified application traffic;
the second analysis unit 144, which is respectively connected to the data acquisition unit 141 and the first judgment unit 143, is configured to analyze the second subfield of the connection tracking table according to the second judgment result and output a second analysis result;
the second analysis result is the identification frequency of the application flow;
the second judging unit 145 is connected to the second analyzing unit 144, and configured to compare the second analysis result with a preset identification threshold:
if the identification frequency is smaller than the identification threshold, the third determination result output by the second determination unit 145 indicates that the application traffic needs to be identified;
if the recognition frequency is not less than the recognition threshold, the fourth determination result output by the second determining unit 145 indicates that the application traffic cannot be recognized;
the first processing unit 146 is connected to the second judging unit 145, and configured to invoke an identification engine to identify the application traffic according to a third judgment result;
the second processing unit 147 is connected to the second determining unit 145, and configured to discard the application traffic according to the fourth determination result.
In the preferred embodiment of the present invention, the first processing unit 146 specifically includes:
a data acquiring subunit 1461, configured to acquire a feature value of the application traffic and a connection tracking table, where the feature value is a quintuple;
an identification subunit 1462, connected to the data acquisition subunit 1461, configured to perform retrieval in a preset identification feature matching library according to the feature value, where the identification feature matching library includes a feature value corresponding to an application traffic generated by each application program in the user terminal 2 and a predefined identification mark corresponding to an application traffic generated by each application program;
a determining subunit 1463, connected to the identification subunit 1462, configured to determine whether a matching feature value is retrieved:
if a matching feature value is retrieved, the fifth determination result output by the determining subunit 1463 indicates that the application traffic is successfully identified;
if no matching feature value is retrieved, the sixth determination result output by the determining subunit 1463 indicates that the application traffic is not successfully identified;
a first processing subunit 1464, connected to the determining subunit 1463, configured to record, according to the fifth determination result, the identifier corresponding to the application traffic in the first subfield corresponding to the application traffic;
and a second processing subunit 1465, connected to the determining subunit 1463, configured to add one to the identification count in the second subfield corresponding to the application traffic and update the second subfield accordingly.
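As an added example that is not part of the patent or its described embodiment, the following Python models the decision flow of the identification control module and first processing unit above (first subfield for the identification mark, second subfield for the identification count, preset identification threshold, engine retrieval in the issued library) together with a coarse and a high-precision feature matching library as described for the two matching modes. The addresses, port numbers, identification marks, rule format and threshold value are constructed assumptions, not values from the patent.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "Feature value" of a flow: the quintuple (src_ip, dst_ip, src_port, dst_port, proto).
Quintuple = Tuple[str, str, int, int, str]


@dataclass
class TrackEntry:
    """First field of the connection tracking table for one flow."""
    ident: Optional[str] = None  # first subfield: identification mark (None = not yet identified)
    attempts: int = 0            # second subfield: identification count (engine calls so far)


@dataclass(frozen=True)
class Rule:
    """One library entry: a quintuple pattern (None = wildcard) and the mark it yields."""
    mark: str
    dst_net: Optional[str] = None   # CIDR the destination address must fall in
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, q: Quintuple) -> bool:
        _, dst_ip, _, dst_port, proto = q
        if self.dst_net is not None:
            if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst_net):
                return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return self.proto is None or self.proto == proto


class IdentificationEngine:
    """Step S42: retrieve the quintuple in the issued library; the first matching rule wins."""
    def retrieve(self, q: Quintuple, library: List[Rule]) -> Optional[str]:
        for rule in library:
            if rule.matches(q):
                return rule.mark
        return None


class IdentificationControl:
    """Steps S3 and S4; all per-flow state lives in the connection tracking table."""
    def __init__(self, engine: IdentificationEngine, library: List[Rule], threshold: int):
        self.engine = engine
        self.library = library        # issued by the controller
        self.threshold = threshold    # preset identification threshold
        self.table: Dict[Quintuple, TrackEntry] = {}   # connection tracking table

    def load_library(self, library: List[Rule]) -> None:
        """Step A2: swap in the library the controller issues after an application update."""
        self.library = library

    def handle(self, q: Quintuple) -> Tuple[str, Optional[str]]:
        """Return (outcome, mark) for one copied packet of flow q."""
        entry = self.table.setdefault(q, TrackEntry())
        if entry.ident is not None:               # S32: mark present, already identified
            return "identified", entry.ident
        if entry.attempts >= self.threshold:      # S33: retried too often, discard
            return "discarded", None
        mark = self.engine.retrieve(q, self.library)   # S4: call the identification engine
        if mark is not None:
            entry.ident = mark                    # success: record mark in first subfield
            return "matched", mark
        entry.attempts += 1                       # failure: add one to second subfield
        return "unmatched", None


# Constructed sample libraries (TEST-NET addresses, fictitious marks). The coarse
# library names only the service class; the high-precision one also names the app.
COARSE_LIBRARY = [Rule("video", dst_net="203.0.113.0/24", dst_port=443, proto="tcp")]
PRECISE_LIBRARY = [
    Rule("video/app_a", dst_net="203.0.113.0/26", dst_port=443, proto="tcp"),
    Rule("video/app_b", dst_net="203.0.113.64/26", dst_port=443, proto="tcp"),
    Rule("video", dst_net="203.0.113.0/24", dst_port=443, proto="tcp"),  # class fallback
]
VIDEO_FLOW: Quintuple = ("192.0.2.10", "203.0.113.70", 51000, 443, "tcp")
UNKNOWN_FLOW: Quintuple = ("192.0.2.10", "198.51.100.9", 51001, 8443, "tcp")


def run_demo(threshold: int = 3) -> Dict[str, List[str]]:
    """Drive both constructed flows through the control module and record each outcome."""
    ctrl = IdentificationControl(IdentificationEngine(), COARSE_LIBRARY, threshold)
    out: Dict[str, List[str]] = {"video": [], "unknown": [], "after_update": []}
    for _ in range(2):                  # second copy is answered from the table, no engine call
        out["video"].append(ctrl.handle(VIDEO_FLOW)[0])
    for _ in range(threshold + 2):      # unknown flow: retried up to threshold, then discarded
        out["unknown"].append(ctrl.handle(UNKNOWN_FLOW)[0])
    ctrl.load_library(PRECISE_LIBRARY)  # user now requires precise identification
    new_flow: Quintuple = ("192.0.2.11", "203.0.113.70", 51002, 443, "tcp")
    out["after_update"].append(ctrl.handle(new_flow)[1] or "")
    return out
```

With the default threshold of 3, the unknown flow is handed to the engine three times and then discarded on every further copy, while the video flow is answered from the tracking table after its first match.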
In a preferred embodiment of the present invention, the method and system for identifying application traffic based on a software defined network of the present invention are applied to a home gateway. In an existing home gateway, the DPI works in kernel mode and is connected in series with the kernel's network data forwarding path, so deep flow analysis affects forwarding stability; furthermore, the parameters of the DPI kernel module are controlled by a user-mode control program, which makes the DPI kernel module difficult to update and unable to adapt to rapidly changing application traffic.
When the application traffic identification method and system based on a software defined network are applied to the home gateway, the DPI works in user mode and is connected in parallel with the network data forwarding path, so that flow analysis is separated from data forwarding; the identification control module of the DPI is combined with the identification engine of the DPI, and the DPI feature library is loaded by dynamic loading, so that changes in applications can be adapted to quickly. Meanwhile, the analysis result of the DPI is fed back to the OpenFlow forwarding kernel through a kernel channel, so that the OpenFlow flow table can apply the analysis result to control the flows directly. This direct control includes helping the gateway to develop more diversified services according to the identified application flows and, in combination with functions such as QoS (quality of service) and flow blocking, implementing scenarios such as rate limiting, acceleration and blocking for different application flows.
While the invention has been described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.

Claims (10)

1. The application flow identification method based on the software defined network is characterized in that the software defined network comprises a controller and a switch connected with the controller;
setting an identification control module and an identification engine in the switch, wherein the identification control module and the identification engine are connected in parallel in the software defined network;
the software defined network further comprises a user terminal, and the user terminal is accessed to the software defined network through the switch;
the application flow identification method specifically comprises the following steps:
step S1, the switch acquires the application flow of the user terminal and copies the application flow to the identification control module according to a forwarding flow table generated and issued in advance by the controller;
step S2, the switch generates a corresponding connection tracking table according to the application traffic, wherein the connection tracking table comprises a first field aiming at the application traffic, and the first field comprises a first sub-field used for recording an identification mark and a second sub-field used for recording identification times;
step S3, the identification control module respectively analyzes the first subfield and the second subfield according to a preset rule, and determines whether to identify the application traffic according to an analysis result:
if yes, turning to step S4;
if not, discarding the application flow, and then quitting;
step S4, the recognition control module calls the recognition engine and recognizes the application flow according to a recognition feature matching library generated and issued in advance by the controller, wherein the recognition feature matching library comprises feature values corresponding to the application flow generated by each application program in the user terminal and recognition marks corresponding to the application flow generated by each predefined application program:
if the identification is successful, recording the identification mark corresponding to the application flow in the first subfield corresponding to the application flow, and then quitting;
and if the identification is not successful, adding the identification times corresponding to the application flow and updating the second subfield, and then exiting.
2. The method for identifying application traffic based on the software defined network according to claim 1, wherein the step S3 specifically includes:
step S31, the identification control module acquires the connection tracking table corresponding to the application flow;
step S32, the identification control module analyzes the first sub-field of the connection tracking table:
if the analysis result shows that the identification mark exists in the first subfield, the application traffic is identified application traffic, and then quitting;
if the analysis result indicates that the identification mark does not exist in the first subfield, the application traffic is unidentified application traffic, and then the step S33 is performed;
step S33, the identification control module analyzes the second subfield of the connection tracking table to obtain the identification number of the application traffic, and compares the identification number with a preset identification threshold:
if the identification times are smaller than the identification threshold, turning to step S4;
and if the identification times are not less than the identification threshold, discarding the application flow, and then quitting.
3. The method for identifying application traffic based on the software defined network according to claim 1, wherein the step S4 specifically includes:
step S41, the identification control module extracts the characteristic value of the application flow and the connection tracking table, wherein the characteristic value is a quintuple;
step S42, the identification control module calls the identification engine to retrieve in the preset identification feature matching library according to the feature value:
if the matched characteristic value is retrieved, the identification is successful, the identification identifier corresponding to the application traffic is recorded in the first sub-field of the connection tracking table corresponding to the application traffic, and then the process is exited;
and if the matched characteristic value is not retrieved, the identification is failed, and the identification times in the second sub-field in the connection tracking table corresponding to the application traffic are increased by one to update the second sub-field, and then the process is exited.
4. The software-defined network-based application traffic identification method according to claim 1, further comprising a process of updating the identification feature matching library, specifically comprising:
step A1, the controller detects the update information of each application program in the software defined network in real time and sends the detected update information to the identification control module;
and step A2, the identification control module updates the identification feature matching library according to the updating information.
5. The software-defined networking-based application traffic identification method according to claim 1, wherein the identification feature matching library adopts a rough matching manner.
6. The software-defined networking-based application traffic identification method according to claim 1, wherein the identification feature matching library adopts a high-precision matching mode.
7. An application traffic identification system based on a software defined network, which is characterized in that the application traffic identification method based on the software defined network as claimed in any one of claims 1 to 6 is applied, and specifically comprises:
a switch, the switch comprising:
the data acquisition module is used for acquiring the application flow of the user terminal connected with the switch;
a data generating module, connected to the data obtaining module, configured to generate a corresponding connection tracking table according to the application traffic, where the connection tracking table includes a first field for the application traffic, and the first field includes a first subfield used for recording an identification identifier and a second subfield used for recording identification times;
the data copying module is connected with the data acquisition module and used for copying and outputting the application flow according to a forwarding flow table which is generated in advance and issued;
the identification control module is respectively connected with the data copying module and the data generating module and is used for respectively analyzing the first sub-field and the second sub-field according to a preset rule and calling the identification engine to identify the application traffic according to a pre-generated and issued identification feature matching library when the analysis result of the identification control module indicates that the application traffic is identified;
and the controller is connected with the switch, is used for generating the forwarding flow table and the identification matching library, and sends the forwarding flow table and the identification matching library to the switch.
8. The software-defined networking-based application traffic identification system according to claim 7, further comprising a fine data analysis system, respectively connected to the controller and the switch, for performing fine analysis according to the identification result of the identification control module in the switch and sending the fine analysis result to the controller;
the fine analysis result comprises an application program corresponding to the application traffic, and/or a use time period of the application traffic, and/or terminal equipment carried by the application traffic;
and the controller generates a next forwarding path of the application flow according to the fine analysis result.
9. The software-defined networking-based application traffic identification system of claim 7, wherein the identification control module specifically comprises:
the data acquisition unit is used for acquiring the connection tracking table corresponding to the application flow;
the first analysis unit is connected with the data acquisition unit and used for analyzing the first subfield of the connection tracking table and outputting a first analysis result;
a first judging unit, connected to the first analyzing unit, configured to judge whether the first subfield has the identifier according to the first analysis result:
if the identification mark exists in the first subfield, a first judgment result output by the first judgment unit indicates that the application traffic is identified application traffic;
if the identification identifier does not exist in the first subfield, the second judgment result output by the first judgment unit indicates that the application traffic is unidentified application traffic;
the second analysis unit is respectively connected with the data acquisition unit and the first judgment unit and is used for analyzing the second subfield of the connection tracking table according to the second judgment result and outputting a second analysis result;
the second analysis result is the identification frequency of the application flow;
the second judging unit is connected with the second analyzing unit and used for comparing the second analyzing result with a preset identification threshold value:
if the identification frequency is smaller than the identification threshold, the third judgment result output by the second judgment unit indicates that the application flow needs to be identified;
if the identification frequency is not less than the identification threshold, a fourth judgment result output by the second judgment unit indicates that the application traffic cannot be identified;
the first processing unit is connected with the second judging unit and used for calling the identification engine to identify the application flow according to the third judging result;
and the second processing unit is connected with the second judging unit and used for discarding the application flow according to the fourth judging result.
10. The system according to claim 9, wherein the first processing unit specifically includes:
the data acquisition subunit is used for acquiring a characteristic value of the application flow and the connection tracking table, wherein the characteristic value is a quintuple;
an identification subunit, connected to the data acquisition subunit, and configured to perform retrieval in a preset identification feature matching library according to the feature value, where the identification feature matching library includes a feature value corresponding to the application traffic generated by each application program in the user terminal and an identification identifier corresponding to the application traffic generated by each predefined application program;
a judging subunit, connected to the identifying subunit, and configured to judge whether the matched feature value is retrieved:
if the matched characteristic value is retrieved, a fifth judgment result output by the judgment subunit indicates that the application traffic identification is successful;
if the matched characteristic value is not retrieved, a sixth judgment result output by the judgment subunit indicates that the application flow is not successfully identified;
the first processing subunit, connected to the determining subunit, is configured to record, according to the fifth determination result, the identifier corresponding to the application traffic in the first subfield corresponding to the application traffic;
and the second processing subunit is connected to the judging subunit, and is configured to add one to the identification times in the second subfield corresponding to the application traffic, and update the identification times to the second subfield.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910631480.4A CN110300065B (en) 2019-07-12 2019-07-12 Application flow identification method and system based on software defined network


Publications (2)

Publication Number Publication Date
CN110300065A CN110300065A (en) 2019-10-01
CN110300065B true CN110300065B (en) 2022-11-11

Family

ID=68031100




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant